1. Field
The present invention relates to an anti-shoulder surfing authentication method.
2. Relevant Background
Today, the use of client devices (also known as access terminals, remote stations, computing devices, etc.) is widespread. Such client devices can be either fixed (e.g., desktop computer) or mobile. Such mobile devices can provide a user with wireless phone access, Internet access, access to computer systems (personal, corporate, government, etc.), allow the user to perform on-line transactions such as on-line shopping, on-line banking, as well as other applications such as finding maps to particular locations, etc. Thus, today's mobile devices allow for wireless communication as well as almost all of the communication and Internet features associated with non-mobile or fixed computer systems. Examples of such mobile devices include: laptop (also known as notebook) computers, smart phones, cellular phones, personal digital assistants (PDAs), digital cameras, tablet computers, etc.
Passwords are widely used to protect personal information and asset information when a user connects to a server site. Such a protection method grants the connection to the server site, and access to the personal information, only upon entry of the password set by the user. Unfortunately, when a password is exposed, attackers may obtain the password and then potentially access the user's personal information and asset information. Examples of such server sites that use password protection include server sites related to banks, stores, work, school, data centers, etc.
In particular, with the rise of mobile devices, mobile devices often access server sites that perform personal transactions from crowded locations, where a shoulder surfing attack may occur. Shoulder surfing is a security attack in which the attacker obtains sensitive information through direct observation of the information entered by the user at the mobile device, for example, by looking directly over the user's shoulder (or by other means). Password based authentication is one of the most widely deployed authentication schemes. Shoulder surfing attacks pose a serious threat to password based authentication.
An example of this is when a user logs into their private account at a server site (e.g., bank, store, work, school, data center, etc.) at a public location (e.g., conference room, coffee shop, library, mall, etc.) with their mobile device. The mobile device's screen, keyboard or the user's hand movements may be completely exposed to and viewed by an attacker. Based upon the attacker's direct observations, the attacker can later successfully log into the same account at the server site with the observed username and password. Many online applications and services employ password based authentication in a client-server model. The user does not have any control over the implementation at the server end. Therefore, techniques are sought to prevent shoulder surfing attacks based upon an attacker's potential direct observation of the username, password, and server site visited by a user with their client device.